Domain Names Like .Food May Leave Bad Taste

Symantec, Go Daddy, Trend Micro and other digital certificate authorities raise security, other concerns with ICANN about the pending release of new top-level domain names.

A group of the world's largest digital certificate authorities (CAs) is warning of potentially serious security and networking risks for businesses when Internet domain names ending in the likes of .food or .law soon join .com and other currently available suffixes.

The Internet Corporation for Assigned Names and Numbers (ICANN) is readying the release of thousands of new generic top-level domains (gTLDs). Approved domains could become available as soon as April 23. Therein lies an underlying cause of potential problems, according to DigiCert associate general counsel Jeremy Rowley.

"ICANN is moving a little too fast with these new gTLDs without really giving people time to get ready," Rowley said in an interview.

Rowley is a member of the CA Security Council (CASC) alongside executives from Symantec, Comodo, Entrust, GMO GlobalSign, Trend Micro and Go Daddy. While some Internet stakeholders have focused on marketing, brand and legal issues with the new domain names, CASC is raising its red flags about the common use of "internal names" by businesses when setting up and managing their private networks. These are, in effect, private domain names such as .mail or .corp that aren't currently resolvable using the public domain name system (DNS) -- but could soon be.

When that happens, digital certificate owners and Web server operators could face security problems and other headaches. CAs currently issue digital certificates for these internal domains. But if those same names become available as public gTLDs, the bad guys could get digital certificates for those domains for the purposes of running man-in-the-middle attacks and other security threats.

"Say .corp gets [released as a gTLD] -- a bad guy could go and get the certificate and then use it for an attack against the new gTLD after it becomes operational," Rowley said. While CAs are preparing for such scenarios, the risks still loom.

Beyond the digital certificate issue is a similar set of challenges for Web server operators at large. When their internal names such as .mail or .corp become part of the public Internet, costly networking conflicts and security holes could arise. As once-private domains get public counterparts, email clients, file-sharing applications and other services will, to put it plainly, become confused. The only real solution is for administrators to essentially re-architect their networks, a process that could take some organizations several years because of budget, staffing and technical know-how.

"You're asking Web server operators to go in and reconfigure the servers, sometimes buy new hardware, hire brand-new staff and things like that in a very short timeframe," Rowley said.

While once considered a security and networking best practice, the use of internal names such as .corp is set to be wound down over the next several years. The CA/Browser Forum has published guidelines for deprecating internal server names by 2016, and trusted CAs will stop issuing certificates for internal names altogether as of November 2015. Current CAB Forum guidelines will also require CAs to stop issuing certificates for internal names within 100 days of being delegated as a new gTLD. That still leaves a considerable gap between the pending release of thousands of new gTLDs and the planned phase-out of internal names.

While ICANN itself has acknowledged the issue, CASC and others say the organization hasn't addressed the full scope of the potential problems. ICANN did not respond to emailed requests for comment.

PayPal recently sent ICANN a public letter expressing similar unease with the release of new gTLDs. Verisign has also published a letter and report on its own risk findings. PayPal noted that while the use of internal domain names may have been misguided in hindsight, it has been a widespread practice for two decades, often at the recommendation of hardware and software vendors. Moreover, abandoning the use of internal names can, as DigiCert's Rowley pointed out, be an arduous task. "For example, re-naming a Microsoft Active Directory Forest is often operationally impossible," the letter reads.

The PayPal letter continued by outlining the potential networking conflicts and ensuing fallout: "Consider a typical enterprise laptop configured to look for network services ending in .corp. What happens when that system roams to a public network, such as the user's home or a public Wi-Fi hotspot?" PayPal's answer: Dozens of services will start hemorrhaging sensitive corporate and personal data, such as usernames and passwords, network authentication credentials, and other information, if and when .corp and other internal names are released as gTLDs on the Internet.

"The potential for malicious abuse is extraordinary, the incidental damage will be large even in the absence of malicious intent, and such services will become immediate targets of attack as they inadvertently collect high-value credentials and private data from potentially millions of systems," PayPal said.

According to DigiCert's Rowley, the bulk of the potential problems would be mitigated if ICANN postponed the release of four new gTLDs: .ads, .bank, .corp and .mail. That would wipe out 90% of the potential problems in CASC's analysis; the other 10% are easily remediated, in the group's view.

PayPal's list, on the other hand, includes the top 10 current invalid domain queries, such as "local," "localhost" and "home," and focuses on the broader set of networking risks beyond digital certificates. Rowley concurred that those networking challenges will likely be the real burden as new gTLDs start rolling off the assembly line.
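As an added illustration (not code from the article, CASC or PayPal), the following Python audit counts resolver queries and certificate SAN entries that end in the internal suffixes named above, which is the kind of exposure check an administrator would run before such names are delegated. The log format, client addresses and hostnames are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Internal-name suffixes named on this page: CASC's four (.ads .bank .corp .mail)
# plus entries from PayPal's list of invalid domain queries (local, localhost, home).
AT_RISK_TLDS = {"ads", "bank", "corp", "mail", "local", "localhost", "home"}

# Constructed sample resolver log lines in a BIND-style query log format (hypothetical).
SAMPLE_LOG = """\
10.0.1.5 query: fileserver.corp IN A
10.0.1.5 query: mail.corp IN A
10.0.2.9 query: printer.local IN A
10.0.2.9 query: www.example.com IN A
10.0.3.7 query: ldap.ad.corp IN SRV
10.0.3.7 query: wpad.home IN A
10.0.1.5 query: intranet.bank IN A
"""

QUERY_RE = re.compile(r"^(?P<client>\S+) query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def tld_of(name):
    """Return the last label of a DNS name, normalised to lower case."""
    return name.rstrip(".").lower().split(".")[-1]


def audit(log_text):
    """Count queries per at-risk suffix, and record which clients and names hit each one."""
    suffix_counts = Counter()
    clients = defaultdict(set)
    names = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue  # skip lines that are not query records
        tld = tld_of(m["qname"])
        if tld in AT_RISK_TLDS:
            suffix_counts[tld] += 1
            clients[tld].add(m["client"])
            names[tld].add(m["qname"].lower())
    return suffix_counts, clients, names


def at_risk_sans(san_names):
    """Return SAN entries a CA would treat as internal names: at-risk suffixes, or
    single-label hostnames with no public suffix at all (assumption for this example)."""
    return [n for n in san_names if "." not in n.strip(".") or tld_of(n) in AT_RISK_TLDS]
```

Run `audit(SAMPLE_LOG)` to see per-suffix counts and the clients that issued the queries; the clients list is the start of the inventory of systems that would need reconfiguration.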

"CAs can take care of the certificate problem, and I think we have done so and done so quickly in a way that mitigates the problem," Rowley said. "What we can't take care of is getting the people with these networks to change in what amounts to overnight for them."

The question then is: Who will take care of it? In its report's conclusions, Verisign warned in no uncertain terms against moving forward on blind faith: "Addressing these issues doesn't simply mean publishing a specification and expecting the community to have immediately implemented it and be capable of responding to all operational and security corner cases conveyed therein."


If that happens, we'll be in the same pain game as others now find themselves.

It would be beyond ridiculous for the top IT purveyors (Microsoft, etc.) to push IT for decades to use internal domain names such as .local only to have someone like ICANN turn around one day and take that domain extension public.


As if there aren't already enough Internet security risks. This isn't good and it should only be implemented if all security risks have been eliminated. It looks as if the Internet is becoming more and more unsafe. Look at all those DDoS attacks and the latest attack on WordPress. See also http://weloveourhost.com/domai... for domain name registration and security.

This is really bad for business. Categorizing domain names has never worked. .com doesn't mean a commercial entity, .net doesn't mean network and .org doesn't mean not for profit. This original idea was not well thought out and there is no global policing organization to make sure people play within a stated domain extension, nor can there be.

A non-categorized domain name system like Simplified Domains with a 3-back system whereby you can enter anything within the browser and the period is placed "3-back" for you is the only way to legitimately expand the system. Simplified was proposed in the late 90's by RMI (Rocky Mountain Internet) and presented to ICANN in LA. Google simplified domains rmi to read more about it.

Since the current expansion process has been started, the after market for domain names has tanked. The value of .com's has fallen dramatically and anything else is hard to sell for any price. This is now a rich man's game and consumers are about to be completely confused with the dot this and that strategy.
